Attention federal agencies looking to implement risk-based spending for cybersecurity: At the first quarterly event in the 2022 FAIR Conference series, Ignatius Liberto, Director, Cybersecurity Compliance and Oversight (IM-32), Office of the CIO, U.S. Department of Energy, presented a successful model for introducing and running quantitative cyber risk management in a government environment.
Watch the video of the presentation “Maturing A Quantitative Risk Management Program in the Federal Government” at FAIRCON22. FAIR Institute membership is required to view.
Liberto described the DOE’s “blended risk management methodology,” which incorporates FAIR™ with standards, frameworks, and guidelines from FISMA, CISA, executive orders from the White House, the NIST CSF and RMF, and the NIST 800 series. It responds to the many federal directives to implement risk-based budgeting (see: How FAIR™ Can Help the US Federal Government Better Prioritize and Right-Size Its Cybersecurity Investments) and to the recent Senate legislation, the Strengthening American Cybersecurity Act, which calls for a cyber risk management “model” applicable across the government.
Some key features of Energy’s model:
- Meets all the federal guidelines and standards in use at any of the department’s wings (the DOE operates on a “federated”, decentralized basis) – and is in line with policies coming down from the department’s leadership.
- Standardizes data gathering from SMEs, especially via the PO&AM planning process for FISMA and the department’s V&V (Validation and Verification of data) program.
- Works on a “platform” approach, with a complete suite of training materials, hands-on FAIR training (including calibration workshops), blueprints and case studies, monthly activities for a “community of practice”, as well as analysis generated by the RiskLens platform, with the goal of socializing the FAIR methodology across the department.
- Customizes FAIR training and procedures for the federal government and scales risk reporting to the needs of any level of government.
- Keeps an eye on the prize: Helping executive leadership make risk-informed decisions for better cybersecurity management.
Liberto showed a sample of the many templates his team has developed for FAIR quantitative analysis of use cases; this one compares risk reduction and return on investment from training vs. not training incident response staff.
Some final words of advice applicable in or out of government: “Let your tactical success drive your program. Don’t get hung up on an enterprise-wide silver bullet strategy. Find tactical applications for the work and employ quantitative risk management for specific use cases to meet demands of your stakeholders.”